API refactoring : ipsec
[vpp.git] / vpp / vpp-api / api.c
index 37079ce..ec26181 100644
 #include <vnet/devices/dpdk/dpdk.h>
 #endif
 
-#if IPSEC > 0
-#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
-#endif /* IPSEC */
-
 #include <stats/stats.h>
 #include <oam/oam.h>
-
 #include <vnet/ethernet/ethernet.h>
 #include <vnet/ethernet/arp_packet.h>
 #include <vnet/interface.h>
-
 #include <vnet/l2/l2_fib.h>
 #include <vnet/l2/l2_bd.h>
 #include <vpp-api/vpe_msg_enum.h>
 #include <vnet/span/span.h>
-
 #include <vnet/fib/ip6_fib.h>
 #include <vnet/fib/ip4_fib.h>
 #include <vnet/fib/fib_api.h>
 #include <vnet/dpo/lookup_dpo.h>
 #include <vnet/dpo/classify_dpo.h>
 #include <vnet/dpo/ip_null_dpo.h>
-
 #define vl_typedefs            /* define message structures */
 #include <vpp-api/vpe_all_api_h.h>
 #undef vl_typedefs
-
 #define vl_endianfun           /* define message structures */
 #include <vpp-api/vpe_all_api_h.h>
 #undef vl_endianfun
-
 /* instantiate all the print functions we know about */
 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
 #define vl_printfun
 #include <vpp-api/vpe_all_api_h.h>
 #undef vl_printfun
-
 #include <vlibapi/api_helper_macros.h>
-
 #define foreach_vpe_api_msg                                             \
 _(WANT_OAM_EVENTS, want_oam_events)                                     \
 _(OAM_ADD_DEL, oam_add_del)                                             \
@@ -195,16 +182,6 @@ _(INTERFACE_NAME_RENUMBER, interface_name_renumber)                        \
 _(WANT_IP4_ARP_EVENTS, want_ip4_arp_events)                             \
 _(WANT_IP6_ND_EVENTS, want_ip6_nd_events)                               \
 _(INPUT_ACL_SET_INTERFACE, input_acl_set_interface)                     \
-_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del)                                 \
-_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd)             \
-_(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry)                     \
-_(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry)                     \
-_(IPSEC_SA_SET_KEY, ipsec_sa_set_key)                                   \
-_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del)                         \
-_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth)                       \
-_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id)                           \
-_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts)                           \
-_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key)                             \
 _(DELETE_LOOPBACK, delete_loopback)                                     \
 _(BD_IP_MAC_ADD_DEL, bd_ip_mac_add_del)                                 \
 _(COP_INTERFACE_ENABLE_DISABLE, cop_interface_enable_disable)          \
@@ -280,12 +257,10 @@ _(L2_INTERFACE_PBB_TAG_REWRITE, l2_interface_pbb_tag_rewrite)           \
 _(PUNT, punt)                                                           \
 _(FLOW_CLASSIFY_SET_INTERFACE, flow_classify_set_interface)             \
 _(FLOW_CLASSIFY_DUMP, flow_classify_dump)                               \
-_(IPSEC_SPD_DUMP, ipsec_spd_dump)                                       \
 _(FEATURE_ENABLE_DISABLE, feature_enable_disable)
 
 #define QUOTE_(x) #x
 #define QUOTE(x) QUOTE_(x)
-
 typedef enum
 {
   RESOLVE_IP4_ADD_DEL_ROUTE = 1,
@@ -4545,354 +4520,6 @@ static void vl_api_input_acl_set_interface_t_handler
   REPLY_MACRO (VL_API_INPUT_ACL_SET_INTERFACE_REPLY);
 }
 
-static void vl_api_ipsec_spd_add_del_t_handler
-  (vl_api_ipsec_spd_add_del_t * mp)
-{
-#if IPSEC == 0
-  clib_warning ("unimplemented");
-#else
-
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_spd_add_del_reply_t *rmp;
-  int rv;
-
-#if DPDK > 0
-  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
-#endif
-}
-
-static void vl_api_ipsec_interface_add_del_spd_t_handler
-  (vl_api_ipsec_interface_add_del_spd_t * mp)
-{
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
-  int rv;
-  u32 sw_if_index __attribute__ ((unused));
-  u32 spd_id __attribute__ ((unused));
-
-  sw_if_index = ntohl (mp->sw_if_index);
-  spd_id = ntohl (mp->spd_id);
-
-  VALIDATE_SW_IF_INDEX (mp);
-
-#if IPSEC > 0
-  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  BAD_SW_IF_INDEX_LABEL;
-
-  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
-}
-
-static void vl_api_ipsec_spd_add_del_entry_t_handler
-  (vl_api_ipsec_spd_add_del_entry_t * mp)
-{
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_spd_add_del_entry_reply_t *rmp;
-  int rv;
-
-#if IPSEC > 0
-  ipsec_policy_t p;
-
-  memset (&p, 0, sizeof (p));
-
-  p.id = ntohl (mp->spd_id);
-  p.priority = ntohl (mp->priority);
-  p.is_outbound = mp->is_outbound;
-  p.is_ipv6 = mp->is_ipv6;
-
-  if (mp->is_ipv6 || mp->is_ip_any)
-    {
-      clib_memcpy (&p.raddr.start, mp->remote_address_start, 16);
-      clib_memcpy (&p.raddr.stop, mp->remote_address_stop, 16);
-      clib_memcpy (&p.laddr.start, mp->local_address_start, 16);
-      clib_memcpy (&p.laddr.stop, mp->local_address_stop, 16);
-    }
-  else
-    {
-      clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4);
-      clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4);
-      clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4);
-      clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4);
-    }
-  p.protocol = mp->protocol;
-  p.rport.start = ntohs (mp->remote_port_start);
-  p.rport.stop = ntohs (mp->remote_port_stop);
-  p.lport.start = ntohs (mp->local_port_start);
-  p.lport.stop = ntohs (mp->local_port_stop);
-  /* policy action resolve unsupported */
-  if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE)
-    {
-      clib_warning ("unsupported action: 'resolve'");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-  p.policy = mp->policy;
-  p.sa_id = ntohl (mp->sa_id);
-
-  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
-  if (rv)
-    goto out;
-
-  if (mp->is_ip_any)
-    {
-      p.is_ipv6 = 1;
-      rv = ipsec_add_del_policy (vm, &p, mp->is_add);
-    }
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-  goto out;
-#endif
-
-out:
-  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY);
-}
-
-static void vl_api_ipsec_sad_add_del_entry_t_handler
-  (vl_api_ipsec_sad_add_del_entry_t * mp)
-{
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
-  int rv;
-#if IPSEC > 0
-  ipsec_sa_t sa;
-
-  memset (&sa, 0, sizeof (sa));
-
-  sa.id = ntohl (mp->sad_id);
-  sa.spi = ntohl (mp->spi);
-  /* security protocol AH unsupported */
-  if (mp->protocol == IPSEC_PROTOCOL_AH)
-    {
-      clib_warning ("unsupported security protocol 'AH'");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-  sa.protocol = mp->protocol;
-  /* check for unsupported crypto-alg */
-  if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
-      mp->crypto_algorithm >= IPSEC_CRYPTO_N_ALG)
-    {
-      clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
-                   mp->crypto_algorithm);
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-  sa.crypto_alg = mp->crypto_algorithm;
-  sa.crypto_key_len = mp->crypto_key_length;
-  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
-  /* check for unsupported integ-alg */
-#if DPDK_CRYPTO==1
-  if (mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE ||
-#else
-  if (mp->integrity_algorithm < IPSEC_INTEG_ALG_SHA1_96 ||
-#endif
-      mp->integrity_algorithm >= IPSEC_INTEG_N_ALG)
-    {
-      clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
-                   mp->integrity_algorithm);
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-
-#if DPDK_CRYPTO==1
-  /*Special cases, aes-gcm-128 encryption */
-  if (mp->crypto_algorithm == IPSEC_CRYPTO_ALG_AES_GCM_128)
-    {
-      if (mp->integrity_algorithm != IPSEC_INTEG_ALG_NONE
-         && mp->integrity_algorithm != IPSEC_INTEG_ALG_AES_GCM_128)
-       {
-         clib_warning
-           ("unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
-         rv = VNET_API_ERROR_UNIMPLEMENTED;
-         goto out;
-       }
-      else                     /*set integ-alg internally to aes-gcm-128 */
-       mp->integrity_algorithm = IPSEC_INTEG_ALG_AES_GCM_128;
-    }
-  else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_AES_GCM_128)
-    {
-      clib_warning ("unsupported integ-alg: aes-gcm-128");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-  else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_NONE)
-    {
-      clib_warning ("unsupported integ-alg: none");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-#endif
-
-  sa.integ_alg = mp->integrity_algorithm;
-  sa.integ_key_len = mp->integrity_key_length;
-  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
-  sa.use_esn = mp->use_extended_sequence_number;
-  sa.is_tunnel = mp->is_tunnel;
-  sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
-  if (sa.is_tunnel_ip6)
-    {
-      clib_memcpy (&sa.tunnel_src_addr, mp->tunnel_src_address, 16);
-      clib_memcpy (&sa.tunnel_dst_addr, mp->tunnel_dst_address, 16);
-    }
-  else
-    {
-      clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
-      clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
-    }
-
-  rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-  goto out;
-#endif
-
-out:
-  REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
-{
-  vl_api_ikev2_profile_add_del_reply_t *rmp;
-  int rv = 0;
-
-#if IPSEC > 0
-  vlib_main_t *vm = vlib_get_main ();
-  clib_error_t *error;
-  u8 *tmp = format (0, "%s", mp->name);
-  error = ikev2_add_del_profile (vm, tmp, mp->is_add);
-  vec_free (tmp);
-  if (error)
-    rv = VNET_API_ERROR_UNSPECIFIED;
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
-}
-
-static void
-  vl_api_ikev2_profile_set_auth_t_handler
-  (vl_api_ikev2_profile_set_auth_t * mp)
-{
-  vl_api_ikev2_profile_set_auth_reply_t *rmp;
-  int rv = 0;
-
-#if IPSEC > 0
-  vlib_main_t *vm = vlib_get_main ();
-  clib_error_t *error;
-  u8 *tmp = format (0, "%s", mp->name);
-  u8 *data = vec_new (u8, mp->data_len);
-  clib_memcpy (data, mp->data, mp->data_len);
-  error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
-  vec_free (tmp);
-  vec_free (data);
-  if (error)
-    rv = VNET_API_ERROR_UNSPECIFIED;
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp)
-{
-  vl_api_ikev2_profile_add_del_reply_t *rmp;
-  int rv = 0;
-
-#if IPSEC > 0
-  vlib_main_t *vm = vlib_get_main ();
-  clib_error_t *error;
-  u8 *tmp = format (0, "%s", mp->name);
-  u8 *data = vec_new (u8, mp->data_len);
-  clib_memcpy (data, mp->data, mp->data_len);
-  error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
-  vec_free (tmp);
-  vec_free (data);
-  if (error)
-    rv = VNET_API_ERROR_UNSPECIFIED;
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
-{
-  vl_api_ikev2_profile_set_ts_reply_t *rmp;
-  int rv = 0;
-
-#if IPSEC > 0
-  vlib_main_t *vm = vlib_get_main ();
-  clib_error_t *error;
-  u8 *tmp = format (0, "%s", mp->name);
-  error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
-                               mp->end_port, (ip4_address_t) mp->start_addr,
-                               (ip4_address_t) mp->end_addr, mp->is_local);
-  vec_free (tmp);
-  if (error)
-    rv = VNET_API_ERROR_UNSPECIFIED;
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
-}
-
-static void
-vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp)
-{
-  vl_api_ikev2_profile_set_ts_reply_t *rmp;
-  int rv = 0;
-
-#if IPSEC > 0
-  vlib_main_t *vm = vlib_get_main ();
-  clib_error_t *error;
-
-  error = ikev2_set_local_key (vm, mp->key_file);
-  if (error)
-    rv = VNET_API_ERROR_UNSPECIFIED;
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
-}
-
-static void
-vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
-{
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_sa_set_key_reply_t *rmp;
-  int rv;
-#if IPSEC > 0
-  ipsec_sa_t sa;
-  sa.id = ntohl (mp->sa_id);
-  sa.crypto_key_len = mp->crypto_key_length;
-  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
-  sa.integ_key_len = mp->integrity_key_length;
-  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
-
-  rv = ipsec_set_sa_key (vm, &sa);
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
-}
-
 static void vl_api_cop_interface_enable_disable_t_handler
   (vl_api_cop_interface_enable_disable_t * mp)
 {
@@ -6332,82 +5959,6 @@ vl_api_flow_classify_dump_t_handler (vl_api_flow_classify_dump_t * mp)
     }
 }
 
-static void
-send_ipsec_spd_details (ipsec_policy_t * p, unix_shared_memory_queue_t * q,
-                       u32 context)
-{
-  vl_api_ipsec_spd_details_t *mp;
-
-  mp = vl_msg_api_alloc (sizeof (*mp));
-  memset (mp, 0, sizeof (*mp));
-  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
-  mp->context = context;
-
-  mp->spd_id = htonl (p->id);
-  mp->priority = htonl (p->priority);
-  mp->is_outbound = p->is_outbound;
-  mp->is_ipv6 = p->is_ipv6;
-  if (p->is_ipv6)
-    {
-      memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16);
-      memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16);
-      memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16);
-      memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16);
-    }
-  else
-    {
-      memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4);
-      memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4);
-      memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4);
-      memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4);
-    }
-  mp->local_start_port = htons (p->lport.start);
-  mp->local_stop_port = htons (p->lport.stop);
-  mp->remote_start_port = htons (p->rport.start);
-  mp->remote_stop_port = htons (p->rport.stop);
-  mp->protocol = p->protocol;
-  mp->policy = p->policy;
-  mp->sa_id = htonl (p->sa_id);
-  mp->bytes = clib_host_to_net_u64 (p->counter.bytes);
-  mp->packets = clib_host_to_net_u64 (p->counter.packets);
-
-  vl_msg_api_send_shmem (q, (u8 *) & mp);
-}
-
-static void
-vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
-{
-  unix_shared_memory_queue_t *q;
-  ipsec_main_t *im = &ipsec_main;
-  ipsec_policy_t *policy;
-  ipsec_spd_t *spd;
-  uword *p;
-  u32 spd_index;
-#if IPSEC > 0
-  q = vl_api_client_index_to_input_queue (mp->client_index);
-  if (q == 0)
-    return;
-
-  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
-  if (!p)
-    return;
-
-  spd_index = p[0];
-  spd = pool_elt_at_index (im->spds, spd_index);
-
-  /* *INDENT-OFF* */
-  pool_foreach (policy, spd->policies,
-  ({
-    if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
-      send_ipsec_spd_details (policy, q,
-                              mp->context);}
-    ));
-  /* *INDENT-ON* */
-#else
-  clib_warning ("unimplemented");
-#endif
-}
-
 static void
 vl_api_feature_enable_disable_t_handler (vl_api_feature_enable_disable_t * mp)
 {